Android: DoubleLocker ransomware encrypts data and changes PINs

A new breed of Android ransomware has been discovered that hits victims with a double whammy. DoubleLocker not only encrypts data as all ransomware does, it also changes the PIN on the target device.

DoubleLocker was discovered by security researchers at ESET. They say that the ransomware abuses Android accessibility services and is the first to use this double-lock approach. Because it is built on previously released banking malware, it is thought that a test version of DoubleLocker could have been in the wild since as early as May.

Despite its banking roots, the ransomware is focused purely on extorting a ransom from victims; it is not capable of harvesting banking details stored on a phone or tablet. DoubleLocker spreads as a fake version of Adobe Flash Player, and it uses a clever trick to ensure that it gets activated: it asks the user to enable its accessibility service, then uses that service to grant itself device administrator rights and set itself as the default home app.

Setting itself as the default home app, i.e. the launcher, is a trick that improves the malware's persistence. Whenever the user presses the Home button, the ransomware is launched and the device is locked again. Because the accessibility service does this work in the background, the user has no idea that pressing Home is what relaunches the malware.

Once active, DoubleLocker first changes the device's PIN to a random value. The new PIN is not stored anywhere on the device, so there is no way to determine what it is. This is the first incentive for a victim to pay the ransom; once it has been paid, the attacker can remotely reset the PIN. The second incentive is the data encryption: files are encrypted with AES and given the extension ".cryeye".

ESET's Lukáš Štefanko notes:

The encryption is implemented properly, which means that, unfortunately, there is no way to recover the files without receiving the encryption key from the attackers.

If you have a backup of your data, it is possible to remove the ransomware without having to cough up any money, as ESET explains:

The only viable option to clean the device of the DoubleLocker ransomware is via a factory reset.

For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work, the device needs to have been in debugging mode before the ransomware was activated.

If this condition is met, then the user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.
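The following shell script is an added example and is not ESET's code or tooling. It covers two passages above: a no-root triage step that surfaces the three settings DoubleLocker abuses (enabled accessibility services, the default home activity and the active device admins), and the ADB recovery path ESET quotes for a rooted device whose USB debugging was already on. The file paths, the device_policies.xml layout, the persist.sys.safemode property and the presence of a working "su" binary are assumptions that vary by Android version and vendor; they are not stated on the page. The package name passed to recover is hypothetical.

```shell
#!/bin/sh
# Added example (not ESET's code): triage helpers for the persistence tricks
# described above, and the ADB recovery path ESET quotes, which only applies to
# a rooted device with USB debugging enabled before infection.
#
# Labelled assumptions (not on the page; vary by Android version and vendor):
#   * the lock-screen credential lives in one of the LOCK_FILES under /data/system
#     (gesture.key/password.key on 4.x-5.x, locksettings.db* on 5.x-7.x,
#     gatekeeper.*.key on later builds)
#   * active device admins are stored in /data/system/device_policies.xml as
#     <admin name="pkg/receiver"> ... </admin> blocks
#   * setting persist.sys.safemode=1 before a reboot boots into safe mode
#   * a rooting tool has put "su" on the device PATH
# DRY_RUN=1 prints the commands that would be sent instead of executing them.

ADB="${ADB:-adb}"
DRY_RUN="${DRY_RUN:-0}"
LOCK_FILES="/data/system/gesture.key /data/system/password.key \
/data/system/locksettings.db /data/system/locksettings.db-shm \
/data/system/locksettings.db-wal /data/system/gatekeeper.password.key \
/data/system/gatekeeper.pattern.key"

# run CMD...: execute the host-side command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# adb_su CMD: run CMD as root in the device shell
adb_su() {
    run "$ADB" shell su -c "$1"
}

# triage: no root needed; shows the three settings DoubleLocker abuses.
# An unknown package in the accessibility list, as the resolved HOME activity,
# or among the active admins is the indicator to look for.
triage() {
    run "$ADB" shell settings get secure enabled_accessibility_services
    run "$ADB" shell cmd package resolve-activity --brief -a android.intent.action.MAIN -c android.intent.category.HOME
    run "$ADB" shell dumpsys device_policy
}

# preflight: a device is attached in debugging mode and su gives uid 0.
# This is the precondition ESET states; without it the method does not apply.
preflight() {
    [ "$("$ADB" get-state 2>/dev/null)" = "device" ] || return 1
    case "$("$ADB" shell su -c id 2>/dev/null)" in
        *uid=0*) return 0 ;;
        *) return 1 ;;
    esac
}

# remove_lock_files: delete the stored credential so the lock screen stops
# asking for the PIN DoubleLocker set. This unlocks the screen only; the
# encrypted .cryeye files are untouched.
remove_lock_files() {
    for f in $LOCK_FILES; do
        adb_su "rm -f $f"
    done
}

# drop_device_admin PKG: back up device_policies.xml, then delete PKG's <admin>
# block so the framework no longer treats it as an active admin after reboot
drop_device_admin() {
    adb_su "cp /data/system/device_policies.xml /sdcard/device_policies.xml.bak"
    adb_su "sed -i '/<admin name=\"$1\\//,/<\\/admin>/d' /data/system/device_policies.xml"
}

# reboot_safe_mode: boot without third-party apps so the malicious launcher
# cannot relock the device while it is being removed
reboot_safe_mode() {
    adb_su "setprop persist.sys.safemode 1"
    run "$ADB" reboot
    run "$ADB" wait-for-device
}

# recover PKG: the full sequence ESET describes; returns 1 when the
# precondition is not met, in which case a factory reset is what remains
recover() {
    preflight || { echo "no rooted device in debugging mode: factory reset instead" >&2; return 1; }
    remove_lock_files
    drop_device_admin "$1"
    reboot_safe_mode
    run "$ADB" shell pm uninstall "$1"
    adb_su "setprop persist.sys.safemode 0"
    run "$ADB" reboot
}
```

Run triage first and read the output; only then run recover with the package name you identified, and only after a DRY_RUN=1 pass has shown you the exact commands that will be sent. Modern adb quotes each argument before the device shell re-parses it, so the su -c strings arrive intact; with an old adb build the joined command line can be re-split, which is another reason to inspect the dry run. Deleting the credential files clears the screen lock but does nothing for the encrypted data, which is why a backup is still the only way to get the files back.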